Weak randomness completely trounces the security of QKD 
In usual security proofs of quantum protocols the adversary (Eve) is expected to have full control over any quantum communication between the communicating parties (Alice and Bob). Eve is also expected to have full access to an authenticated classical channel between Alice and Bob. Unconditional security against any attack by Eve can be proved even in the realistic setting of device and channel imperfection. In this Letter we show that the security of QKD protocols is ruined if one allows Eve to possess very limited access to the random sources used by Alice. Such knowledge should always be expected in realistic experimental conditions via different side channels.



Introduction — The emergence of quantum theory in the early twentieth century led to a revolution in many areas of physics. One of its main features was the introduction of intrinsic randomness, originating from the very nature of the theory. This probabilistic nature led to the questioning of the concepts of (macro)realism and locality, which was considered an unwanted consequence of quantum theory. True randomness, much unwanted from the point of view of classical physics, serves as a valuable resource in many cryptographic protocols. It is for this reason that quantum random number generators (QRNG) were among the first commercially available devices utilizing basic principles of quantum physics in their most elementary form.

Towards the latter part of the twentieth century it was recognized that quantum mechanics could lead another revolution and dramatically extend the premise of information processing. Classical notions of security underpinned by computational conditions were seriously threatened by the edicts of quantum mechanics and by the emergence of Shor's algorithm [3]. However, quantum mechanics offered a new security paradigm whereby the use of quantum states imparted unconditionally secure communication through quantum key distribution (QKD) [3]. Quantum key distribution protocols enable two communicating parties to produce a shared random secret key in such a way that also reveals the presence of any third party. The secret key can be used later to implement an unconditionally secure encryption protocol [1].

The security of QKD has been established not only for an ideal noiseless experimental setting, but it has also been proven robust within more realistic settings to the extent that QKD systems are now commercially available [5]. Interestingly, the robustness of QKD protocols has only been proven with respect to possible attacks on the quantum data exchanged by the communicating parties, under the assumption that a third party possesses knowledge of all exchanged classical data.

Sources of classical random bits, repeatedly used during different phases of quantum protocols, were silently considered to be perfect. An unstated assumption in the standard proofs of security [5–8] is that the source of random bits used in the protocol is unbiased and completely inaccessible to the adversary. Unfortunately, however, perfect or unbiased randomness is very difficult to obtain in practice. All classical sources of random bits in fact provide only pseudorandom bit strings, which might be fully accessible to the adversary together with knowledge of their preparation procedure and input bits. Specialized QRNG devices only produce biased randomness and require classical post-processing [5], something one has to consider as accessible to the adversary. Real-world random number generators inevitably leak information via side channels and, thus, may be vulnerable to outside conditions (e.g., temperature, input power, EM radiation, etc.) which are potentially controlled by the adversary.

Although the problem of weak (biased) randomness has been broadly studied and is relatively well understood in classical information processing [11–15], there has not been a similar analysis of its quantum counterpart. This may be due to the fact that a perfect source of randomness theoretically exists in the quantum world, and any weaknesses are attributed only to imperfect implementation. Recent investigations, however, show that quantum information processing can help to increase the security of communication using weak randomness even for regions of parameters where purely classical processing would inevitably reveal all information to the adversary.
In this Letter we will examine the security setting of QKD in which the adversary, aside from having full control of the quantum and classical channels, also has some limited control over the sources of randomness the communicating parties employ during the protocol (Fig. 1). We will show that with increasing key length, only a negligible control of the randomness is necessary to render the QKD insecure. In particular, we will demonstrate that the secret keys individually held by the communicating parties will differ significantly. Moreover, the knowledge pertaining to the secret key held by the adversary will be comparable to the knowledge held by the receiving party.

FIG. 1: A sketch version of the BB84 protocol. Eve has full access to both the quantum channel (Q.C.) and the authenticated classical channel (A.C.C.), and possesses partial access to the random sources of Alice and Bob.

Weak sources — Random processes are usually described by their probability distributions. However, it is insufficient to model a weak random source by a single probability distribution because the bias of the source is typically unknown. The only information usually known about the source is that it is random to a certain extent; thus, we allow the output of the weak random source to be distributed according to any probability distribution containing sufficient randomness. We will quantify the amount of randomness of a distribution by the min-entropy of its source. The min-entropy of the random variable X is defined by

    H_\infty(X) = \min_{x} \left( -\log_2 \Pr(X = x) \right)    (1)



A non-uniform source of randomness is an (N, b)-source if it emits N-bit strings drawn according to a probability distribution with a min-entropy of at least b bits. Thus, every specific N-bit sequence is drawn with probability smaller than or equal to 2^{-b}. For b = N, one obtains a perfect source where all sequences are drawn with the same probability. The bias of the source can be easily quantified by the min-entropy loss, denoted c = N − b. A distribution is (N, b)-flat if it is an (N, b)-source and it is uniform on a subset of 2^b sample points, i.e., each string is output with a probability of either zero or 2^{-b}.

The quantity b/N is called the min-entropy rate and it achieves unity for perfect random sources that deliver one bit of entropy per bit produced. We will be particularly interested in the min-entropy loss rate, which will be denoted by the quantity c/N. This quantity is (almost) zero for (almost) perfect random sources and approaches unity as the quality of the source decreases.
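The definitions of this section, as an added Python example that is not part of the Letter: Eq. (1) computed over a distribution on N-bit strings, the (N, b)-source and (N, b)-flat tests, and the min-entropy loss c = N − b together with its rate c/N. The three sample sources over 4-bit strings (a perfect source, a flat source that only ever emits strings beginning with "00", and a skewed but non-flat source) are constructed for illustration.

```python
import math
from itertools import product

# Distributions are plain dicts mapping an N-bit string to its probability.

def min_entropy(dist):
    """H_inf(X) = min_x (-log2 Pr[X = x]), Eq. (1), over outcomes with p > 0."""
    return min(-math.log2(p) for p in dist.values() if p > 0)

def is_source(dist, N, b):
    """(N, b)-source: every output is an N-bit string and H_inf >= b, i.e.
    no single string is emitted with probability above 2^-b."""
    return all(len(s) == N for s in dist) and min_entropy(dist) >= b - 1e-9

def is_flat(dist, N, b):
    """(N, b)-flat: an (N, b)-source that is uniform on exactly 2^b strings
    (every probability is either 0 or 2^-b)."""
    support = [p for p in dist.values() if p > 0]
    return (is_source(dist, N, b) and len(support) == 2 ** b
            and all(abs(p - 2.0 ** -b) < 1e-9 for p in support))

def min_entropy_loss(dist, N):
    """c = N - H_inf(X): zero for a perfect source, N - b for an (N, b)-source."""
    return N - min_entropy(dist)

def loss_rate(dist, N):
    """Min-entropy loss rate c/N: ~0 for good sources, approaching 1 for bad ones."""
    return min_entropy_loss(dist, N) / N

def uniform_source(N):
    """Perfect (N, N)-source: all 2^N strings equally likely."""
    return {"".join(bits): 2.0 ** -N for bits in product("01", repeat=N)}

def flat_source(N, b, support):
    """Constructed (N, b)-flat source: uniform on the 2^b strings in `support`."""
    assert len(support) == 2 ** b and all(len(s) == N for s in support)
    return {s: 2.0 ** -b for s in support}

# Constructed sample sources over 4-bit strings.
N = 4
PERFECT = uniform_source(N)
# Flat source chosen by an adversary: only strings beginning with "00" appear,
# so 2 of the 4 bits are effectively fixed (c = 2, c/N = 0.5).
FLAT_00 = flat_source(N, 2, [s for s in PERFECT if s.startswith("00")])
# Biased but not flat: "0000" half of the time, the rest spread uniformly.
# The most likely string decides H_inf, so H_inf = 1 bit and c = 3.
SKEWED = {s: (0.5 if s == "0000" else 0.5 / 15) for s in PERFECT}

if __name__ == "__main__":
    for name, d in [("perfect", PERFECT), ("flat_00", FLAT_00), ("skewed", SKEWED)]:
        print(f"{name:8s} H_inf={min_entropy(d):.3f} c={min_entropy_loss(d, N):.3f} "
              f"c/N={loss_rate(d, N):.3f} flat(4,2)={is_flat(d, N, 2)}")
```

Only the most probable string matters for the min-entropy, which is why the skewed source loses three of its four bits even though fifteen of its sixteen outputs remain possible; this is the sense in which a single probability distribution is too coarse a model and the min-entropy bound is the right summary.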

The QKD protocol — Here we demonstrate the attack using a variation of the well-known BB84 protocol [3], which serves as a representative of the prepare-and-measure family of protocols.

Distribution phase: Using a random number generator Alice produces a 2n-bit string X. Then, depending on a 2n-bit string from a random variable Y, Alice encodes each bit into a qubit in one of four possible states {|0⟩, |1⟩, |+⟩, |−⟩}. The state of the i-th qubit is conditioned on the i-th bits of both X and Y. In particular, each bit of X with value 0 is encoded into either |0⟩ or |+⟩ depending on whether the corresponding bit of Y is 0 or 1, respectively. A similar case holds for the bit value 1, encoded into the states |1⟩ and |−⟩. Alice subsequently transmits all 2n qubits to Bob. In order to obtain information about the 2n-bit string X, an adversary will be compelled to interact with these transmitted qubits, which inevitably leads to a disturbance in the transmitted sequences.

Sifting phase: Bob measures each received qubit to obtain a 2n-bit string. Similar to the encoding procedure, the set of measurement bases is chosen according to a uniformly distributed random variable Z that outputs a 2n-bit string. If the i-th bit of Z has value 0, Bob measures in the computational basis; otherwise Bob measures in the diagonal basis. The sequence of measurement bases is revealed by Bob, whereupon Alice announces the locations of those qubits for which the corresponding preparation and measurement bases do not coincide. After discarding these qubits, Alice and Bob possess on average n-bit strings X_A and X_B. Following the sifting phase, the adversary has an estimate X_E of Alice's string X_A that depends on the degree to which the adversary interacted with the transmitted qubits. If there is no interaction then the adversary possesses no information on the n-bit string X_A. In the case of faultless quantum communication, X_A and X_B will be identical. However, in the case of the adversary choosing to interact with many qubits, the estimate X_E will be a good approximation to X_A, and this causes X_B to differ significantly from X_A.

Parameter estimation: The primary aim of parameter estimation is to approximate the number of errors between the n-bit strings X_A and X_B. The source of the errors may be attributed to a combination of quantum channel imperfections and eavesdropping by the adversary. However, in security proofs one always considers the worst-case scenario and, thus, assumes the adversary to be responsible for all errors.

Random sampling provides a way to estimate the number of errors between X_A and X_B. According to the output from a random variable T, Alice chooses a set of bit positions of X_A and assigns these as the test positions. Alice and Bob reveal the bit value in each test position. The number of errors t provides a reasonable estimate r of the actual number of errors in the remaining bits of X_A and X_B [7]. If the number of errors in the test positions is excessive then there is a high probability that the adversary is present and the protocol is aborted.

In any practical application one wants the test set to be relatively small in order to achieve the maximal possible key length. In existing QKD protocols, the size of the test set is typically of the order of √n or log(n) [17, 18]. In the following asymptotic analysis, we assume the most general case and impose only the condition that the size of the test set is sublinear in n. In particular, we assume it is equal to O(n^{1−α}) with 0 < α < 1.

Information reconciliation and privacy amplification: Following parameter estimation, the bit strings X_A and X_B contain with high probability up to r errors. The goal of information reconciliation is to remove these errors even at the cost of revealing some information about X_A and X_B. This task is usually realized by one-way communication [7, 19, 20]. Such one-way information reconciliation can be implemented as long as Bob has more information than the adversary about Alice's string X_A [21].

The goal of privacy amplification is to remove any knowledge possessed by Eve about the shared string X_A. A widely used method [20, 21] is based on the random choice of a hashing function. In this case, Alice randomly chooses a hashing function f and sends it to Bob. The final shared key is f(X_A) = f(X_B). Importantly, this method also uses one-way communication.

The Adversary's attack — The use of uniform randomness is widespread throughout the various steps of the QKD protocol. The first instance of uniform randomness occurs during the distribution phase when Alice chooses the 2n-bit strings X and Y uniformly. During the sifting phase of the protocol, Bob must decide on a set of measurement bases, which again depends on a uniformly distributed random variable that outputs a 2n-bit string. In the parameter estimation phase, a subset of the strings is chosen as a test set according to a uniformly distributed random variable T and, again, another source of random bits is used to select the hashing function. In light of these cases, we will investigate a scenario in which Alice's randomness source used to select the positions of the test qubits is biased. Similar to the case of faulty quantum channels, we will consider the worst-case scenario and attribute all randomness imperfections to the adversary. This can be modelled by a scenario whereby the adversary can influence the distribution of the random variable T to such an extent that the adversary is allowed to set any (n, n − c)-distribution to the random variable T, with c denoting the strength of the adversary's attack. We assume that c is large enough to guarantee the adversary that at least half of the qubits will not be tested. Later we calculate the required value of c.

Without loss of generality, let us suppose that the first half of Bob's measurement outcomes will not be tested. The adversary can measure the first half of the 2n qubits in the {|0⟩, |1⟩} basis. If Eve's measurement outcome is |0⟩, she sends the state |1⟩ to Bob, and if her measurement outcome is |1⟩, she sends the state |0⟩. Following this procedure and the sifting phase, the adversary has on average n/2 measurement outcomes. The adversary adds another n/2 bits chosen randomly and uniformly to obtain her estimate X_E of Alice's string X_A. Since Alice and Bob have not tested those bits measured by the adversary, the protocol will continue on to the remaining phases.

We now quantify the amount of information that Bob and the adversary possess about Alice's n-bit string X_A. To obtain the result, we calculate the Hamming distance H(A, B) between strings A and B. There are three cases to consider. Firstly, the adversary may have measured a transmitted qubit in the correct basis. In such a case, the adversary obtains a bit value that coincides with the corresponding bit value in X_A, with Bob then obtaining the bit complement. This happens on average in n/4 measurement cases. Secondly, it may happen that the adversary measures a transmitted qubit in an incorrect basis. Here both Bob and the adversary obtain the correct value with probability 1/2. This happens on average in n/4 bits. The final situation to consider is the case in which the adversary does not perform a particular qubit measurement. The adversary then chooses random values for these bit positions and correctly guesses the value with probability 1/2. In this situation, Bob's measurement value is due to measuring in the correct basis and, thus, he determines the value of Alice's bit with certainty. This last situation occurs in n/2 of the bits.

The amount of information that Bob and the adversary possess about Alice's string X_A is given by H(X_B, X_A) and H(X_E, X_A) respectively. Both of these quantities are on average equal to 5n/8. Consequently, the adversary and Bob possess on average the same level of knowledge about Alice's string. As the subsequent steps of the protocol demand that only Alice communicates information, it follows that at the conclusion of the protocol the adversary and Bob continue to share the same level of information about Alice's bit string. This illustrates that ultimately there can be no privacy between Alice and Bob.
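The protocol steps described earlier (distribution, sifting, parameter estimation) and the three-case count of this section, as an added Python simulation that is not part of the Letter. Qubits are modelled classically as (bit, basis) pairs: measuring in the preparation basis returns the encoded bit, measuring in the other basis returns a uniformly random bit, and the channel itself is noiseless, so every error is Eve's. The parameters n = 4000, a test set of 63 ≈ √n positions and the seeds are constructed. Run with an unbiased T the intercept-and-flip attack on the first half shows up in the test positions; with the adversary-set flat T that only draws test positions from the second half, the test reports zero errors while the two Hamming distances H(X_B, X_A) and H(X_E, X_A) on the remaining bits both come out near 3n/8, i.e. Bob and Eve each agree with Alice on about 5n/8 of the positions, as the counting above predicts.

```python
import random
from dataclasses import dataclass

@dataclass
class RunResult:
    sifted: int        # |X_A| after sifting
    test_errors: int   # errors Alice and Bob observe on the test positions
    remaining: int     # sifted positions that were not tested
    dist_bob: int      # Hamming distance H(X_B, X_A) on the remaining positions
    dist_eve: int      # Hamming distance H(X_E, X_A) on the remaining positions

def hamming(a, b):
    """Hamming distance H(A, B): number of positions in which the strings differ."""
    return sum(x != y for x, y in zip(a, b))

def measure(bit, prep_basis, meas_basis, rng):
    """Classical stand-in for a projective measurement (0 = computational, 1 = diagonal)."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def run_bb84(n, eve_active, biased_test_source, test_size, seed=0):
    rng = random.Random(seed)
    m = 2 * n
    X = [rng.randrange(2) for _ in range(m)]  # Alice's 2n raw bits
    Y = [rng.randrange(2) for _ in range(m)]  # Alice's encoding bases
    Z = [rng.randrange(2) for _ in range(m)]  # Bob's measurement bases

    # Eve measures the first half of the qubits in the {|0>,|1>} basis and
    # resends the complement of her outcome; she does not touch the rest.
    eve_outcome = {}
    in_flight = []
    for i in range(m):
        bit, basis = X[i], Y[i]
        if eve_active and i < m // 2:
            eve_outcome[i] = measure(bit, basis, 0, rng)
            bit, basis = 1 - eve_outcome[i], 0
        in_flight.append((bit, basis))
    B = [measure(bit, basis, Z[i], rng) for i, (bit, basis) in enumerate(in_flight)]

    # Sifting: keep the positions where preparation and measurement bases agree.
    sifted = [i for i in range(m) if Y[i] == Z[i]]

    # Parameter estimation.  An unbiased T samples test positions uniformly
    # from all sifted positions; the adversary-set flat distribution samples
    # uniformly too, but only from the half Eve left alone.
    pool = [i for i in sifted if i >= m // 2] if biased_test_source else sifted
    tests = set(rng.sample(pool, test_size))
    test_errors = sum(X[i] != B[i] for i in tests)

    rest = [i for i in sifted if i not in tests]
    X_A = [X[i] for i in rest]
    X_B = [B[i] for i in rest]
    # Eve's estimate: her outcomes where she measured, uniform guesses elsewhere.
    X_E = [eve_outcome[i] if i in eve_outcome else rng.randrange(2) for i in rest]
    return RunResult(len(sifted), test_errors, len(rest),
                     hamming(X_B, X_A), hamming(X_E, X_A))

if __name__ == "__main__":
    n = 4000
    for eve, biased in [(False, False), (True, False), (True, True)]:
        r = run_bb84(n, eve, biased, test_size=63, seed=1)
        print(f"eve={eve!s:5} biased_T={biased!s:5} test_errors={r.test_errors:3d} "
              f"H(X_B,X_A)/n={r.dist_bob / r.remaining:.3f} "
              f"H(X_E,X_A)/n={r.dist_eve / r.remaining:.3f}")
```

The detection logic of parameter estimation is untouched in the biased run; what fails is the sampling assumption behind it, which is why a check on the test error rate alone cannot reveal a bias in T.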

The strength of the Adversary — It remains to quantify how much information, in terms of min-entropy loss, the adversary requires in order to prevent parameter estimation on half of the bit positions. Alice needs $\log \binom{n}{n^{1-\alpha}}$ bits to specify n^{1−α} positions out of n. On the other hand, the adversary wants Alice to choose the n^{1−α} test bits only from n/2 of the positions. Apparently, the best option for the adversary, in terms of the smallest entropy loss, is to set any $\left(\log \binom{n}{n^{1-\alpha}},\ \log \binom{n/2}{n^{1-\alpha}}\right)$-flat distribution to Alice's random number generator. Such a distribution would uniformly select test bits only within the pre-selected half of all positions.

Of particular importance here will be an analysis of the relative behavior of two quantities; the first quantity is the length of the test bit string

    N = \log \binom{n}{n^{1-\alpha}}    (2)

and the second quantity is the min-entropy loss

    c = \log \binom{n}{n^{1-\alpha}} - \log \binom{n/2}{n^{1-\alpha}}.

Both of these quantities diverge since Alice demands an increased level of randomness to choose the test bits from an ever increasing set size. Now, the min-entropy loss rate c/N expresses the amount of total randomness required to restrict all possible test bit positions within a prescribed subset of the total bit set. We will show that the rate c/N, which is given as

    \frac{c}{N} = \frac{\log \binom{n}{n^{1-\alpha}} - \log \binom{n/2}{n^{1-\alpha}}}{\log \binom{n}{n^{1-\alpha}}}    (3)

remains finite.

We will consider this expression in the limit of large n, as all current security proofs for various QKD protocols have only been proven in the asymptotic regime of infinite key length. In evaluating the min-entropy loss rate c/N in the limit of large n, we will make use of the Stirling approximation of the factorial function, \log(n!) \approx (n + 1/2)\log(n) - n. Furthermore, we can approximate the quantity c as n^{1−α} log(2) + O(log(n)), while the quantity N can be approximated as n^{1−α} log(n) + O(n^{1−α}). The min-entropy loss rate c/N in the limit of large n can thus be evaluated to

    \frac{c}{N} \approx \frac{\log(2)}{\log(n)}    (4)

Under the assumption of perfect randomness, all QKD protocols have been proven to be perfectly secure in the limit of an infinitely large key size. However, implementing perfect randomness is difficult. By relaxing the assumption of perfect randomness to reflect real-life conditions, Eq. (3) illustrates that QKD no longer remains robust. In particular, a negligible control on the source of randomness renders QKD insecure.

Entanglement based protocols — In these protocols [3, 22], parties share entangled pairs of photons and employ the monogamy of entanglement to build up security. A portion of these states is used to check the monogamy, and thus exclude the presence of an adversary, while the remaining states are used to perform the protocol itself. The test pairs are selected by a random source in exactly the same way as in the prepare-and-measure based protocols. Having access to the random source of the selecting party, Eve might easily perform an attack where she could entangle herself with the pairs that will not be tested in the future and, thereby, obtain information about the secret key.



Conclusion — In this Letter we demonstrated that if one allows an adversary limited access to the random sources used by the communicating parties then the security of QKD protocols is completely compromised. This is the case for almost all known QKD protocols that use part of the data set to test for an adversary. In such instances, the adversary is able to efficiently restrict the test sample. The obvious defence against such an attack is to increase the number of test states to a significant linear portion of the raw key. This would, however, profoundly decrease the length of the secret key.